General

  • Target

    19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

  • Size

    207KB

  • Sample

    220124-cyabasadep

  • MD5

    aa7f122412d4914c4554b7091d3abd03

  • SHA1

    95447dae22f5019d9f898ad430a991fe1f29645e

  • SHA256

    19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

  • SHA512

    713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

Malware Config

Extracted

Path

C:\d3eci84-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension d3eci84. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3D67D81A4B07460B 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/3D67D81A4B07460B Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: IDFDyQo3dEDYit7/aeK1HuymzAsFlPO1sHoONk5vb/CIAldBo9B0TR+FbY11GpdF LTYy5+SrgIPS336CsofZk0I3ZYyQIza9+QQqR8YFQCqYCJ7N3+UEt173rb5Dx6tG fdwTkahj9ymXKkZFHjWHedExCs8x4Gx6449psvTWUbjz5xi5QT19uAJyfqDhjVIx OoTxK8OYNNfWnapMzwYacRSU6GZyhZhAN8Uktkkp72EGJjyuMUk17rluChNaNEom HU+jRodvuY/i6FWUB4Y6K+sPK6FDEzCi/l8ol03uHQivL8FUOs+urren6isf1dQo soP+cPtk0Yk0qjQBcqRrFDTIvSDImkATBdFPFl0k8kARxTtg/sFpKnqTP2UtKpV1 Cj5He2Ym6PBKivFUqrtlawt01ec/Udn8yOHA/FR/MKIQ9ZTtjJN96VuK4sUTWw1y WzD8nb2zHVru+DCZG7LNDKULaWhAb3yLQycqOby5O18SpX4tpX2JO0ik4d5IKs/Z mzDsE+f0CUQSn7G+OjWVe1D5XFPHRzL4hEOxW1jjaxHfaoXnROwaW0+EWDXdu89F byNYKLmSASmqURjLi168aMZofQrYnAdlh43c9r6OQIreuP3xQOS6MSq/REbfjaO3 co0cE6sKcPXyFEzIBLAJ5jZMCfcvt9oesIOWwm5cv+MmAY5o3nOrbiZTQ+tA0dkm VmbRy2b5BvBwOP+W5kYSYYkxash4UTWJDB9xTbtx9GeOPguw1rrG5Rt+sLTz65C8 S93TxY0brYajmZPO4AYwgO4U3nQXx1lIQXeA9z+LSW3pabn1pADf0C0ZA0OpfARy 6P/vw8maQ1kd3kfLETD5+ERJ5L3PQyk7D4ymYHXiaS1W1XQZRglGNSjdFzU0C1cD f/vE38p5ReRAD6tXcxfu7VIqUMapZLqPksjfY7ENQ65qlu2M1qjJS+srUHzsMRxO sR0ti96InEZNo4dVPYLMkgSJ8QrUlRTdKgUdKi1xeSqOwFRYmEQkXJY4P40qRMVF HkAXVOrLzPrt21SQoQv9O3iqapwJdrgEWpGgRU/f2P0keDBIhs6+0Ly5Th0Kvj9b 2A42QC1e82pt1O/TN1o8s3ScEJkzmD0eSDFPaBa9KEYaln1r0g45S+tOhLnIhpFt x9ytzi1b4O0G1H3fymrlI5yDcYEcHHskG6Mi55qnRvj0Ku1dN60xTTs4cP+zcuNY x9WjxbC1vLZ9pvit27olJcpzPZw1ulN+pCbLc0nLwtdtxPGRwalYc1xdJJc1Ek5G Btgg1uJx9QtwCB2UCVHu/r2+OFqEdeURspI= ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/3D67D81A4B07460B

http://decryptor.cc/3D67D81A4B07460B

Extracted

Family

sodinokibi

Botnet

$2a$10$lRCppn0ag9eMlVTqFENGPedxsGGQ66IEQQ0jST1aU61VF8vI3tMr2

Campaign

3382

C2

siluet-decor.ru

sobreholanda.com

peterstrobos.com

alvinschwartz.wordpress.com

euro-trend.pl

launchhubl.com

parking.netgateway.eu

portoesdofarrobo.com

alysonhoward.com

transportesycementoshidalgo.es

humancondition.com

fitnessingbyjessica.com

kunze-immobilien.de

psa-sec.de

trackyourconstruction.com

victoriousfestival.co.uk

you-bysia.com.au

buymedical.biz

teresianmedia.org

slimidealherbal.com

Attributes

  • net

    true

  • pid

    $2a$10$lRCppn0ag9eMlVTqFENGPedxsGGQ66IEQQ0jST1aU61VF8vI3tMr2

  • prc

    oracle

    visio

    tbirdconfig

    sql

    mydesktopqos

    isqlplussvc

    steam

    thunderbird

    ocautoupds

    xfssvccon

    ocssd

    onenote

    ocomm

    powerpnt

    excel

    outlook

    sqbcoreservice

    dbeng50

    agntsvc

    encsvc

    synctime

    dbsnmp

    winword

    thebat

    infopath

    firefox

    wordpad

    mspub

    msaccess

    mydesktopservice

  • ransom_oneliner

    All of your files are encrypted! Find {EXT}-readme.txt and follow instuctions

  • ransom_template

    ---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension {EXT}. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/{UID} 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/{UID} Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: {KEY} ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

  • sub

    3382

  • svc

    sql

    vss

    sophos

    mepocs

    svc$

    veeam

    memtas

    backup

Extracted

Path

C:\v9l7t9-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on your system has extension v9l7t9. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practice - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B0B8114E8C2ECF59 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/B0B8114E8C2ECF59 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: CmmZBfmBZiY8MNYiMjWKsA2nQBq9P5Z5DASQgA7sc2MwX90i6nI+UzBghU/L6EnW 3yOWWHguNADzX8DepMw3elv893OAE6NboWRVuR27rsBJJlQ7plNwTmTupjwxLB8I D5SuwtfDCJZvr6i9gRIWMgs95dyWmmCKECztgLjr8RYb5o18Cn4P/00PitVDHLqC 49GNbNoJUOMIlZfZyy31vpXl196sFi+zOetYT/dYIfRkiERs8m+kNFrEIbWwp8xr kU3siOKdKh3T0mOFZq/eE0xYt+zcRoA93y2u8vhPtdWOi5o7C1PcvHCJbyBoYkDd PYa0ByZ6DcVEjwhbqo3xjGGszSvJkxTL4SEivJPh/9fJiYKABxtzm+zu4QT33naw jqSgAExhu8aKkX7BohujcJSJ3dDblxeI6hxkxtSWwaetj+XqpmEsw9XmWUVI+vVJ Fk+TwiE32VV8aosyVhyWBdVVRb4lbjs4MzxvEI0u7COpc6/PXFS1Eczqn628gn6E BtGpyPq2oiFb566GnyLF4gw3c+DnV++snWmR1tQY55WVjsi2FB5tB08e2/xS06nY blS8QN1VfDH0+yYGv88y3jqLEYs10T9/SPdBNqybWpmx6uhuG1x8yAKrUGsT+NEq /8/Ru/veYoVwFpg4i7Qcfeltv/+3haqVlnwvi9tNXKS6RIsPGdaCjd5HzDu50ZCu /tAKvFK+4Q+zBIcRDe1AfVGwzu12Cs50GUjUyCf5YElDgOsw3vUFoDLikXAyP8eW RgJTfPpKK/vPmM2ZaodSzW8IY8gDx2HWv4w3hOFiBW3KEPHDcSYM4mr5uJvAVMw2 STMp80nAdQJrtAaXnXYTfCGddIjhwvOjWYqt97io+F/bLbbedoeCvCk3urAuis0b ANihVATaesWEzWXZz1oVmKlYWal/+WKIlEh6F2CnCVeh1GD83gs7ClWPDqW9tovB XBzXrWdmjNIElctituQQvxhJyYYWj60V54k+4QPoAsSmkrpL6ZB7sYJZqsmmWE8d yw2ivpYfyCv/3jwmDmfBe8GMjBvUoP+nHWgRPX2qwS7cocpffEHmhr6v/b50BYp/ E4aWA+zia6nLNgzXPj9yrO1lwYAH+yvIEFNthkmVNjO1r+itmZJy0ym+OaaZvpRm PFna2vX57sDxpiE1lfXhYqScjgzI0CGb2h2aEtLCtYvUJgVOxqNXpSnUptxbs8/O V4fgKslOPnXqDitrhWQQg7X1/lSZtZdPv4pSFk9iTQrXVZm/gXje/jyg6B+HAw2p 9tm9XSH5rMK5AsH1c5SCjw== ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damage of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/B0B8114E8C2ECF59

http://decryptor.cc/B0B8114E8C2ECF59

Targets

    • Target

      19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

    • Size

      207KB

    • MD5

      aa7f122412d4914c4554b7091d3abd03

    • SHA1

      95447dae22f5019d9f898ad430a991fe1f29645e

    • SHA256

      19c84f8f12a31ea6c18309732f601da8d5f07363243075afd3c92cf6f9655e73

    • SHA512

      713eec51423eebc5a24e5d1c219b7cf369068453d0a193c6b77ca722469abce43a784a59ad69055c987de91fdbd22a3e74ae86f6d449dcf44ac1940aa075cc2b

    • Modifies system executable filetype association

    • Neshta

      Malware from the neshta family is designed to infect itself into other files to spread itself and cause damage.

    • Sodin,Sodinokibi,REvil

      Ransomware with advanced anti-analysis and privilege escalation functionality.

    • Executes dropped EXE

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

    • Adds Run key to start application

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

    • Sets desktop wallpaper using registry

MITRE ATT&CK Matrix (ATT&CK v6)

Each entry lists the technique, its ATT&CK ID, and the number of matching signatures.

Persistence

  • Change Default File Association (T1042): 1

  • Registry Run Keys / Startup Folder (T1060): 1

Defense Evasion

  • Modify Registry (T1112): 4

  • Install Root Certificate (T1130): 1

Credential Access

  • Credentials in Files (T1081): 1

Discovery

  • Query Registry (T1012): 1

  • Peripheral Device Discovery (T1120): 1

  • System Information Discovery (T1082): 2

Collection

  • Data from Local System (T1005): 1

Impact

  • Defacement (T1491): 1

Tasks